| field | value | date |
|---|---|---|
| author | Phil Sutter <phil@nwl.cc> | 2021-09-21 16:42:36 +0200 |
| committer | Phil Sutter <phil@nwl.cc> | 2021-09-27 13:29:38 +0200 |
| commit | f9b33967f2b4b58160c0a970da77d5e44406803a | |
| tree | 193643d0af4bdab4503430dbeb74ec0e7642beec /iptables/nft.h | |
| parent | 4318961230bce82958df82b57f1796143bf2f421 | |
nft: Check base-chain compatibility when adding to cache
With the introduction of dedicated base-chain slots, a selection process was
established: no longer do all base-chains end in the same chain list
for later searching/checking; instead only the first one found matching
each hook's criteria is kept and the rest are discarded.
A side-effect of the above is that table compatibility checking started
to omit consecutive base-chains, making iptables-nft less restrictive as
long as the expected base-chains were returned first from the kernel when
populating the cache.
Make behaviour consistent and warn users about the possibly disturbing
chains found by:
* Run all base-chain checks from nft_is_chain_compatible() before
allowing a base-chain to occupy its slot.
* If an unfit base-chain was found (and discarded), flag the table's
cache as tainted and warn about it if the remaining ruleset is
otherwise compatible.
Since base-chains that remain in cache would pass
nft_is_chain_compatible() checking, remove that and reduce it to rule
inspection.
Signed-off-by: Phil Sutter <phil@nwl.cc>
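The slot-selection and taint flow the commit message describes, as an added stand-alone C model. This is not iptables code: the struct and function names (`table_cache`, `cache_add_base_chain`, `table_check`, `demo_populate`), the compatibility criteria (chain type and priority only), the rule that a duplicate base chain for an occupied slot also taints, and the sample chains are all assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the behaviour the commit message describes.
 * Not iptables code; every name here is illustrative. */

enum hook { HOOK_PREROUTING, HOOK_INPUT, HOOK_FORWARD, HOOK_OUTPUT,
            HOOK_POSTROUTING, HOOK_MAX };

struct base_chain {
    const char *name;
    int hook;          /* enum hook value as reported by the kernel */
    int prio;
    const char *type;  /* "filter", "nat", ... */
    bool in_use;
};

struct table_cache {
    const char *name;
    const char *expected_type;        /* what iptables-nft creates itself */
    int expected_prio;
    struct base_chain slot[HOOK_MAX]; /* one base-chain slot per hook */
    bool tainted;                     /* an unfit base chain was discarded */
};

/* Assumed checks; the real nft_is_chain_compatible() inspects more fields. */
static bool chain_is_compatible(const struct table_cache *t,
                                const struct base_chain *c)
{
    if (c->hook < 0 || c->hook >= HOOK_MAX)
        return false;
    if (strcmp(c->type, t->expected_type) != 0)
        return false;
    return c->prio == t->expected_prio;
}

/* Run the compatibility checks before a chain may occupy its hook slot.
 * Returns true if the chain was cached. An unfit chain (assumption: a
 * duplicate for an occupied slot too) is discarded and taints the table. */
bool cache_add_base_chain(struct table_cache *t, const struct base_chain *c)
{
    if (!chain_is_compatible(t, c) || t->slot[c->hook].in_use) {
        t->tainted = true;
        return false;
    }
    t->slot[c->hook] = *c;
    t->slot[c->hook].in_use = true;
    return true;
}

/* 0: table usable, 1: usable but warn (tainted), -1: rules incompatible.
 * The warning is only emitted when the rest of the ruleset is fine. */
int table_check(const struct table_cache *t, bool rules_compatible)
{
    if (!rules_compatible)
        return -1;
    if (t->tainted) {
        fprintf(stderr, "Warning: table %s has base chains iptables-nft "
                        "will not handle\n", t->name);
        return 1;
    }
    return 0;
}

/* Constructed scenario: two fitting chains plus a foreign INPUT chain at a
 * different priority. 'reversed' flips the order the kernel returns them in;
 * the outcome must not depend on it. Returns how many chains took a slot. */
int demo_populate(struct table_cache *t, bool reversed)
{
    static const struct base_chain from_kernel[] = {
        { "INPUT",  HOOK_INPUT,  0,    "filter", false },
        { "OUTPUT", HOOK_OUTPUT, 0,    "filter", false },
        { "early",  HOOK_INPUT,  -100, "filter", false },
    };
    const int n = (int)(sizeof from_kernel / sizeof from_kernel[0]);
    int accepted = 0;

    memset(t, 0, sizeof *t);
    t->name = "filter";
    t->expected_type = "filter";
    t->expected_prio = 0;

    for (int i = 0; i < n; i++) {
        const struct base_chain *c = reversed ? &from_kernel[n - 1 - i]
                                              : &from_kernel[i];
        if (cache_add_base_chain(t, c))
            accepted++;
    }
    return accepted;
}

int main(void)
{
    struct table_cache t;
    for (int rev = 0; rev < 2; rev++) {
        int n = demo_populate(&t, rev);
        printf("%s order: %d chains cached, tainted=%d, check=%d\n",
               rev ? "reverse" : "forward", n, t.tainted,
               table_check(&t, true));
    }
    return 0;
}
```

In both orders the fitting INPUT chain ends up in its slot and the table is flagged tainted; before the change the order mattered, because the first chain seen for a hook took the slot without being checked.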
Diffstat (limited to 'iptables/nft.h')
-rw-r--r-- | iptables/nft.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/iptables/nft.h b/iptables/nft.h index a7b652ff..ef79b018 100644 --- a/iptables/nft.h +++ b/iptables/nft.h @@ -45,6 +45,7 @@ struct nft_cache { struct nftnl_set_list *sets; bool exists; bool sorted; + bool tainted; } table[NFT_TABLE_MAX]; }; @@ -262,6 +263,7 @@ void nft_rule_to_arpt_entry(struct nftnl_rule *r, struct arpt_entry *fw); bool nft_is_table_compatible(struct nft_handle *h, const char *table, const char *chain); +bool nft_is_table_tainted(struct nft_handle *h, const char *table); void nft_assert_table_compatible(struct nft_handle *h, const char *table, const char *chain); |
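Review bot: the new `bool tainted;` member in `struct nft_cache` (first hunk) has no comment, so its meaning is only recoverable from the commit message; suggest `bool tainted; /* an unfit base chain was discarded */` next to `exists` and `sorted`. Please also confirm that whatever path resets a table's cache entry (the one that clears `exists`/`sorted`) clears `tainted` as well, since a stale flag would keep warning after the offending chain is gone and this header-only diff cannot show that.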
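Review bot: `nft_is_table_tainted()` is declared next to `nft_is_table_compatible()` (second hunk), but the diffstat is limited to iptables/nft.h, so neither its definition nor its callers are visible here; confirm the accompanying nft.c change defines it and that the warning is emitted from `nft_assert_table_compatible()` only when the remaining ruleset is otherwise compatible, as the commit message says. A one-line comment on the declaration stating that the flag means "a base chain was discarded as unfit for this table" would make the contract clear to callers.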